FTC FACT Act Red Flags Rule Template
Important: If you choose to use this template as a guide, you must adapt it to reflect your individual firm. Without the analysis and modification required to fit your firm’s situation, your Identity Theft Prevention Program (ITPP) will not comply with regulatory requirements.
This template is an optional guide for firms to assist them in fulfilling their requirements under the Federal Trade Commission’s (FTC) Red Flags Rule, which implements obligations imposed by the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). The Red Flags Rule requires specified firms to create a written Identity Theft Prevention Program (ITPP) designed to identify, detect and respond to “red flags”—patterns, practices or specific activities—that could indicate identity theft. “Identity theft” is a fraud committed or attempted using the identifying information of another person without authority.
Template Use
The obligation to develop a written Red Flags Rule ITPP is not a “one-size-fits-all” requirement, so you must customize this template to fit your particular firm’s situation. If any of the language does not adequately address your firm’s business situation, you will need to prepare your own language. You are responsible for ensuring that the program fits your firm’s business and that you implement the program. The language in this template is designed to be a starting point and to walk you through developing your firm’s ITPP. Following this template does not guarantee compliance, or create any safe harbor, with FTC or FINRA rules, the federal securities laws or state laws.
- TEXT EXAMPLES are provided in this template to give you sample language that you can modify to create your firm’s ITPP.
- Material in italics provides instructions, the relevant rules and other resources that you can use to develop your firm’s plan; you will likely want to delete this material—and the introductory material that is boxed in the first pages of this document (i.e., the material up to “[Firm Name]”)—from your final ITPP.
FTC Red Flags Rule Only
This template addresses only the FTC’s Red Flags Rule, which was adopted November 9, 2007, with an enforcement start date extended to December 31, 2010. It does not address the Identity Theft Red Flags Rules of the federal financial institution regulatory agencies (Office of the Comptroller of the Currency, the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision and the National Credit Union Administration) that were also adopted November 9, 2007. It also does not address related FTC regulations, adopted on the same date, that require policies and procedures for 1) credit- and debit-card-issuing firms to assess the validity of change-of-address notifications and 2) firms that use credit reports to respond to a credit reporting agency’s notice of address discrepancy; enforcement of those regulations began November 1, 2008. If those regulations apply to your firm, FINRA expects it to have policies and procedures in place to comply with them.
Red Flags Rule Coverage and Periodic Review
Under the FTC Rule, your firm must prepare an ITPP if it is either a “financial institution” or a “creditor” and offers “covered accounts.” FINRA anticipates that most member firms will be required to prepare an ITPP under the Red Flags Rule. Even if it does not have to prepare an ITPP now, your firm must have internal controls to periodically review its operations, and prepare an ITPP if it later becomes a financial institution or a creditor that offers covered accounts.
Financial Institution. Your firm is a “financial institution” if it provides, either directly or indirectly through your clearing firm, consumer “transaction accounts,” which are accounts that allow account holders to make withdrawals for payment or transfer of funds to third parties by telephone transfers, checks, debit cards or similar means. Since “consumer” is defined as an individual, a firm without individuals as clients would not be a financial institution under this definition.
Creditor. Your firm is a “creditor” if it regularly extends, renews or continues credit (such as margin) or arranges for its extension, renewal or continuation (such as through a clearing firm). A firm that is not a financial institution because it has only institutional customers can still be a creditor if it extends credit, or arranges to extend credit, for any of its customers.
Covered Accounts. If your firm is either a financial institution or a creditor, you must then analyze whether it offers “covered accounts,” which are any accounts that either 1) your firm offers primarily for personal, family or household purposes and involve multiple payments (such as credit card, margin, checking or savings accounts), or 2) involve a reasonably foreseeable risk from identity theft to customers or the safety and soundness of your firm.
Send questions about complying with the Red Flags Rule to.
Rules: 16 Code of Federal Regulations (C.F.R.) §§ 681.1(b) and (d).
______
Program Elements
The four program elements for an ITPP specified in the FTC Red Flags Rule require your firm to:
(1) identify relevant red flags for the covered accounts that the firm offers or maintains, and incorporate those red flags into its ITPP;
(2) detect red flags that have been incorporated into the ITPP of the financial institution or creditor;
(3) respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
(4) update the ITPP and its red flags periodically to reflect changes in identity theft risks to customers and the firm.
Rules: 16 C.F.R. § 681.1(d)(2).
______
Program Administration
To administer your ITPP, your firm must:
(1) get approval of the initial written ITPP from the firm’s board of directors, an appropriate committee of it, or, if there is no board, a designated member of senior management;
(2) involve the board, committee or the designated member of senior management in the oversight, development, implementation and administration of the ITPP;
(3) train staff to implement the ITPP; and
(4) oversee service provider arrangements.
Rules: 16 C.F.R. § 681.1(e).
______
Resources
FINRA
- FINRA Regulatory Notice 08-69 (Fair and Accurate Credit Transactions Act of 2003)
- Podcast: FTC’s Red Flags Rule Template
- Podcast: FACT Act Red Flags Rule
- Regulation S-P: Privacy of Consumer Financial Information, including Final Rule, 2005 Amendment, 2008 Proposed Amendments, FINRA Comment Letter on 2008 Proposed Amendments and FAQ
FTC
- FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule (Delay of Enforcement Until December 31, 2010)
- FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule (Delay of Enforcement Until June 1, 2010)
- FTC’s Fighting Fraud with the Red Flags Rule: A How-To Guide for Business
- Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, Final Rule, Federal Trade Commission and the Federal Financial Institution Regulatory Agencies (FTC Red Flags Rule)
- FTC’s Complying with the Red Flags Rule: Do-It-Yourself Program for Businesses at Low Risk For Identity Theft
- FTC Identity Theft Site
Other
- e-CFR Title 16 Commercial Practices Part 681 – Identity Theft Rules
- Guidance on Authentication in an Internet Banking Environment (Federal Financial Institutions Examination Council (FFIEC))
- Treasury Final Rule Regarding Broker/Dealer Customer Identification Programs (05/09/03) (under Anti-Money Laundering (AML) Rules and Regulations on FINRA’s AML Web page)
[Firm Name]
Identity Theft Prevention Program (ITPP) under the FTC FACT Act Red Flags Rule
I. Firm Policy
State your firm’s objectives for your ITPP.
TEXT EXAMPLE: Our firm’s policy is to protect our customers and their accounts from identity theft and to comply with the FTC’s Red Flags Rule. We will do this by developing and implementing this written ITPP, which is appropriate to our size and complexity, as well as the nature and scope of our activities. This ITPP addresses 1) identifying relevant identity theft Red Flags for our firm, 2) detecting those Red Flags, 3) responding appropriately to any that are detected to prevent and mitigate identity theft, and 4) updating our ITPP periodically to reflect changes in risks.
Our identity theft policies, procedures and internal controls will be reviewed and updated periodically to ensure they account for changes both in regulations and in our business.
Rule: 16 C.F.R. § 681.1(d).
II. ITPP Approval and Administration
State who is responsible for initial approval of this ITPP, which should be your board of directors or an appropriate board committee; or, if you have no board, a designated member of senior management. State who is responsible for the oversight, development, implementation and administration of the ITPP, which may be a designated member of senior management, your board or a board committee.
TEXT EXAMPLE: The firm’s Board of Directors, or the [Name] Committee of the Board, or [Name, title], a member of senior management, approved this initial ITPP. [Name, title], a member of senior management, is the designated identity theft officer and is responsible for the oversight, development, implementation and administration (including staff training and oversight of third party service providers of ITPP services) of this ITPP.
Rule: 16 C.F.R. § 681.1(e) and Appendix A, Section VI.(a).
III. Relationship to Other Firm Programs
Describe how this ITPP relates to your firm’s other programs to protect customer data, such as the data safekeeping and disposal procedures under Regulation S-P, your Customer Identification Program (“CIP”) and red flags detection under your AML Compliance Program.
TEXT EXAMPLE: We have reviewed other policies, procedures and plans required by regulations regarding the protection of our customer information, including our policies and procedures under Regulation S-P, [and] our CIP and red flags detection under our AML Compliance Program [and list any others] in the formulation of this ITPP, and modified either them or this ITPP to minimize inconsistencies and duplicative efforts.
Rule: 16 C.F.R. § 681.1, Appendix A, Section I.
IV. Identifying Relevant Red Flags
To identify relevant identity theft Red Flags, your firm must assess certain risk factors and sources, as well as the categories and examples listed in Supplement A to Appendix A of the FTC’s Red Flags Rule (see Resources, above). This consideration forms the basis for modifying the attached Red Flag Identification and Detection Grid to cover your firm’s situation and experience.
TEXT EXAMPLE: To identify relevant identity theft Red Flags, our firm assessed these risk factors: 1) the types of covered accounts it offers, 2) the methods it provides to open or access these accounts, and 3) previous experience with identity theft. Our firm also considered the sources of Red Flags, including identity theft incidents our firm has experienced, changing identity theft techniques our firm thinks likely, and applicable supervisory guidance. In addition, we considered Red Flags from the following five categories (and the 26 numbered examples under them) from Supplement A to Appendix A of the FTC’s Red Flags Rule, as they fit our situation: 1) alerts, notifications or warnings from a credit reporting agency; 2) suspicious documents; 3) suspicious personal identifying information; 4) suspicious account activity; and 5) notices from other sources. We understand that some of these categories and examples may not be relevant to our firm and some may be relevant only when combined or considered with other indicators of identity theft. We also understand that the examples are not exhaustive or a mandatory checklist, but a way to help our firm think through relevant red flags in the context of our business. Based on this review of the risk factors, sources, and FTC examples of red flags, we have identified our firm’s Red Flags, which are contained in the first column (“Red Flag”) of the attached “Red Flag Identification and Detection Grid” (“Grid”).
Rule: 16 C.F.R. § 681.1(d)(2)(i) and Appendix A, Section II.
V. Detecting Red Flags
Your firm’s ITPP must address how, in connection with opening and maintaining its covered accounts, it will detect the Red Flags it identified in Part IV above and set out in the first column of the attached Grid. For opening covered accounts, that can include getting identifying information about and verifying the identity of the person opening the account by using your CIP. For existing covered accounts, it can include authenticating customers, monitoring transactions, and verifying the validity of changes of address. How your firm will detect each of its identified Red Flags is to be set out in the second column of the attached Grid.
TEXT EXAMPLE: We have reviewed our covered accounts, how we open and maintain them, and how to detect Red Flags that may have occurred in them. Our detection of those Red Flags is based on our methods of getting information about applicants and verifying it under the CIP of our AML compliance procedures, authenticating customers who access the accounts, and monitoring transactions and change of address requests. For opening covered accounts, that can include getting identifying information about and verifying the identity of the person opening the account by using the firm’s CIP. For existing covered accounts, it can include authenticating customers, monitoring transactions, and verifying the validity of changes of address. Based on this review, we have included in the second column (“Detecting the Red Flag”) of the attached Grid how we will detect each of our firm’s identified Red Flags.
Rule: 16 C.F.R. § 681.1(d)(2)(ii) and Appendix A, Section III.
VI. Preventing and Mitigating Identity Theft
Your firm’s ITPP must provide responses to its detected Red Flags that match the risk involved.
TEXT EXAMPLE: We have reviewed our covered accounts, how we open and allow access to them, and our previous experience with identity theft, as well as new methods of identity theft we have seen or foresee as likely. Based on this and our review of the FTC’s identity theft rules and its suggested responses to mitigate identity theft, as well as other sources, we have developed our procedures below to respond to detected identity theft Red Flags.
Procedures to Prevent and Mitigate Identity Theft
When we have been notified of a Red Flag or our detection procedures show evidence of a Red Flag, we will take the steps outlined below, as appropriate to the type and seriousness of the threat:
Applicants. For Red Flags raised by someone applying for an account:
- Review the application. We will review the applicant’s information collected for our CIP under our AML Compliance Program (e.g., name, date of birth, address, and an identification number such as a Social Security Number or Taxpayer Identification Number).
- Get government identification. If the applicant is applying in person, we will also check a current government-issued identification card, such as a driver’s license or passport. If the applicant is submitting an electronic application via our Web site, we will use [describe your Internet authentication methods; under Resources, above, see the Guidance on Authentication in an Internet Banking Environment (Federal Financial Institutions Examination Council (FFIEC))].
- Seek additional verification. If the potential risk of identity theft indicated by the Red Flag is probable or large in impact, we may also verify the person’s identity through non-documentary CIP methods, including:
- Contacting the customer
- Independently verifying the customer’s information by comparing it with information from a credit reporting agency, public database or other source such as a data broker [or] the Social Security Number Death Master File [or list other sources]
- Checking references with other affiliated financial institutions, or
- Obtaining a financial statement.
- Deny the application. If we find that the applicant is using an identity other than his or her own, we will deny the account.
- Report. If we find that the applicant is using an identity other than his or her own, we will report it to appropriate local and state law enforcement; where organized or widespread crime is suspected, the FBI or Secret Service; and if mail is involved, the US Postal Inspector. We may also, as recommended by FINRA’s Customer Information Protection web page’s “Firm Checklist for Compromised Accounts,” report it to our FINRA coordinator; the SEC; state regulatory authorities, such as the state securities commission; and our clearing firm.
- Notification. If we determine personally identifiable information has been accessed, we will prepare any specific notice to customers or other required notice under state law. [Note: See the National Conference of State Legislatures’ listing of state notification requirements. (This site may not be updated or comprehensive. Each firm is responsible for researching all applicable state requirements. State and local laws and regulations are not uniform. All broker-dealers must have policies and procedures reasonably designed to prevent and detect violations of the laws and regulations of the jurisdictions in which they operate.)]
Access seekers. For Red Flags raised by someone seeking to access an existing customer’s account: